Archive for the ‘Protecting Yourself and Others’ Category

Reality Leigh Winner (who, despite her name, was not a winner in reality) is currently sitting in a cage for the crime of leaking classified National Security Agency (NSA) documents. Unlike Edward Snowden, Reality didn’t purposely go public. But she made a series of major mistakes that allowed the NSA to identify her after she leaked the documents. Her first mistake was using a work computer to communicate with The Intercept:

Investigators then determined that Ms Winner was one of only six people to have printed the document. Examination of her email on her desk computer further revealed that she had exchanged emails with the news outlet, the indictment said.

By using a work computer to communicate with The Intercept, she made hard evidence against her easily available to her employer.

When reporters at The Intercept approached the National Security Agency on June 1 to confirm a document that had been anonymously leaked to the publication in May, they handed over a copy of the document to the NSA to verify its authenticity. When they did so, the Intercept team inadvertently exposed its source because the copy showed fold marks that indicated it had been printed—and it included encoded watermarking that revealed exactly when it had been printed and on what printer.

Most major printer manufacturers watermark any pages printed by their printers. The watermarks identify which printer printed the document. In addition to the physical printer, the watermark on the document posted by The Intercept also included a timestamp of when the document was printed.

Reality’s third mistake was trusting a third-party to guard her anonymity. Because of The Intercept’s history of working with leakers it’s easy to assume that the organization takes precautions to guard the identities of its sources. However, a single mistake, posting the printed document without editing out the watermark, gave the NSA enough evidence to narrow down who the leaker could be.

The lesson to be learned from this is that you alone are responsible for maintaining your anonymity. If you’re leaking classified materials you need to do so in a way that even the individual or organization you’re leaking them to is unable to identify you.

When I discuss anarchism with statists they always have a litany of excuses to justify why they believe the violence of the State is necessary. Roads are a popular one but another popular excuse are the police. Statists always want to know who will provide protection in a stateless society. One characteristic of statists that always amuses me is their insistence that anarchists solve problems that their precious government haven’t managed to solve. So my usual response to the question of police is asking who provides protection now.

Let’s consider the security market. If the State’s police were doing an adequate job of providing protection one would expect that the security market would be pretty small. But the security market is booming. Homeowners have subscribed to security services such as alarm systems for decades now. Surveillance cameras have been around for decades as well. At first surveillance cameras were used in stores to deter and identify thieves but now the price of decent quality cameras is low enough that one can find them in homes. Other security products that are becoming popular are films that can be applied to windows to make breaking in by smashing through a windows very difficult. Door locks, padlocks, and other forms of access control have existed for ages. It’s not unusual for companies to hire private security guards. Some companies even hire armed security guards.

Even the personal defense market is booming. Self-defense classes are available in even modestly sized townships. The number of carry permits being issued has continued to increase because many people, such as myself, realize that the only effective form of self-defense is what you have on you. In addition to carry permits, handguns designed to be easy to carry have been selling very well because people realize that the State’s police will take minutes, if you’re lucky, to get to you.

The State hasn’t done an effective job of providing security, which is why the market has stepped in. In the absence of government the market will continue serving the exact same function it’s serving today.

After eight years of unexplained absence, neoliberals who are critical of the State have returned. I’m not sure where they were hiding but I’m glad to see that they’re safe and sound. But a lot has change in eight years so I’m sure many of them are out of the loop when it comes to online security. For example, what if you’re a federal employee who was told by your employer to shut up and you wanted to criticize them for it but didn’t want to be fired from your parasitic job? This isn’t as easy as opening a Twitter account and blasting criticisms out 140 characters at a time. Your employer has massive surveillance powers that would allow it to discover who you are and fire you for disobedience. Fortunately, The Grugq has you covered.

The information in his post regarding Twitter is applicable to any activist who is utilizing social media and might raise the ire of the State. I think the most important piece of information in that article though is that you shouldn’t immediately jump in with the sharks:

These are a lot of complicated operational rules and guides you’ll have to follow strictly and with discipline. If you “learn on the job” your mistakes will be linked to the account that you’re trying to protect. It would be best that you go through the steps and practice these rules on a non sensitive account. Make sure you’re comfortable with them, that you know how to use the tools, that you understand what you’re supposed to do and why.

Some underground organisations have something they call “the first and last mistake,” which is when you break a security rule and it leads to discovery and exposure. You’re the resistance, you need to make sure you can use the tools of resistance without mistakes – so practice where it is safe, get the newbie mistakes out of the way, and then implement and operate safely where it matters.

If you’re planning to partake in activism you should do a few trail runs of creating and maintaining pseudonymous social media accounts. Maintaining the discipline necessary to avoid detection is no easy feat. It’s best to screw up when it doesn’t matter than to screw up when you could face real world consequences.

Big Brother is watching. Many people have been defeated by the constant improvements in government surveillance. Instead of fighting they lie themselves into complacency by claiming that they have nothing to hide. Don’t allow yourself to fall into that trap. Privacy is an arms race. As surveillance technology improves so do countermeasures:

The use of facial recognition software for commercial purposes is becoming more common, but, as Amazon scans faces in its physical shop and Facebook searches photos of users to add tags to, those concerned about their privacy are fighting back.

Berlin-based artist and technologist Adam Harvey aims to overwhelm and confuse these systems by presenting them with thousands of false hits so they can’t tell which faces are real.

The Hyperface project involves printing patterns on to clothing or textiles, which then appear to have eyes, mouths and other features that a computer can interpret as a face.

Camouflage is older than humans. In fact, much of what we know about camouflage comes from our observations of animals. As predators improved so did the camouflage of prey. To win against the predatory State we must constantly improve our defenses. Against surveillance one of the best defenses is camouflage.

I admire people like Adam Harvey because they’re on the front lines. Will their plans work? Only time will tell. But I’ll take somebody who is trying to fight the good fight and fails over somebody who has rolled over and surrendered to the State any day.

Here’s an easy thing you can do to make yourself safer: don’t go to malls around Christmas. When American shoppers come together near Christmas weird shit starts happening:

A series of apparently unconnected fights and disturbances broke out at malls across the country the day after Christmas, leaving shoppers desperate for an exit and authorities struggling to wrangle unruly crowds.

Several arrests and multiple injuries were reported — including an assault on an officer — and authorities and witnesses described panic-stricken scenes from Aurora, Colo. to East Garden City, N.Y.

Some of the videos are interesting to watch because they show shoppers trying to flee out of the main entrances, which results in too many people trying to cram through too little space. So here’s another thing you can do to make yourself safer: if you are in a mall when a brawl breaks out make a beeline for an emergency exit. Yes, it will probably set off an alarm but you’ll be out of the confined space with the psychopaths.

This weekend is forecast to be fucking brutal. First we’re supposed to be nailed by snow today and then Saturday and Sunday the temperatures are looking to be rather unpleasant. This kind of weather isn’t a joking matter. It kills people.

If you can avoid traveling do so. If you can’t make sure you don’t let your gas tank drop below half full. If you become stranded you can turn on the engine periodically to keep the inside temperature from dropping to lethal levels but only if you have gas in the tank (also, if you’re stuck in this situation, periodically get out and verify that the exhaust pipe is unobstructed by snow). Have a full winter survival kit in your vehicle that includes warm clothes (as in clothing appropriate for surviving this weather, not an old coat you had lying around that’s barely rated for 10 degrees, let alone -20 degrees), a heat reflective emergency blanket, a jump pack in case you need to jumpstart you vehicle, a small shovel and some kitty litter in case you need to get unstuck, and a winter rated sleeping bag in case you’re going to be stranded for a while.

This kind of weather is lethal, treat it with the seriousness it deserves.

Many people facing abuse will pull a restraining order against their abuser. Although my history of advising against interacting with the State may make some believe that I would advise against pursuing a restraining order the opposite is true. I highly recommend getting a restraining order against an abuser. When it comes to survival you should use every single tool available to you. A retraining order does offer several important legal protections, especially if you are in a situation where you have to defend yourself against your abuser. With that said, your survival strategy must include more than just a restraining order. A restraining order is literally a piece of paper and therefore can’t protect you if your abuser decides to violate it.

Lucas A. Jablonski, 25, of Anoka, was charged Monday in Anoka County District Court with second-degree murder in the death in mid-August of 34-year-old Becky L. Drewlo, whose parents have been her guardians since she turned 18 in November 2000.

Jablonski has been jailed since he was charged in early September with violating the terms of the restraining order, which was granted at the request of her mother in September 2014.

Earlier violations by Jablonski of the same restraining order — in October 2014 and January 2016 — led to convictions in both instances but no significant time in custody.

[…]

Jablonski had been living with Drewlo for several weeks leading up to her death, the complaint read, despite the restraining order being in force that “precluded [him] from having any contact with Ms. Drewlo and from being at her apartment.”

In the petition for the restraining order, Laura Drewlo noted that Jablonski had “taken advantage of Becky sexual[ly] many times. Becky lacks sufficient understanding [and] therefore doesn’t understand the consequences.” She said her daughter had considered Jablonski her boyfriend in the months leading up to the petition being filed.

She said her daughter was in a program that allowed her to live independently with professional assistance and keep a job.

This case is more complicated than many since the victim appears to have been suffering from a mental disability, which likely prevented her from being able to protect herself. My usual go to advice, taking measures to improve your ability to defend yourself, likely don’t apply here. But it does illustrate the limitations of a restraining order.

A restraining order is only effective if the person holding it reports infractions against the order and the police respond to the report. Even then punishments for violating restraining orders are often minor. In this case the suspect had violated the order multiple times but received no significant punishments. And if the violation turns into an attack the order has no ability to defend the victim.

Pulling a restraining order should be seen as a step in a multistep plan. A restraining order provides legal protections, which can be valuable in the aftermath of a self-defense case against an abuser. But they don’t offer any physical protection. Other steps in the plan should address this deficiency.

My hatred of using advertisements to fun “free” services is pretty well known at this point. However, it seems that a lot of people prefer the business model where they’re the product instead of the customer. Knowing that, and knowing that password reuse is still a significant security problem for most people, I feel the need to inform you that LastPass, which still remains a solid password manager despite being bought by LogMeIn, now has an ad supported “free” version:

I’m thrilled to announce that, starting today, you can use LastPass on any device, anywhere, for free. No matter where you need your passwords – on your desktop, laptop, tablet, or phone – you can rely on LastPass to sync them for you, for free. Anything you save to LastPass on one device is instantly available to you on any other device you use.

Anything that may convince more people to start using password managers is a win in my book. People who don’t utilize password managers tend to reuse the same credentials on multiple sites, which significantly increases the damage that a password database leak can cause. Furthermore, using a password manager lowers the hurdle for using strong passwords. Instead of having to use passwords that are memorizable a password manager also allows users to use long strings of pseudorandom characters, which means if a password database is breached the time it takes to unveil their password from its stored hash is significantly increased (because the attacker has to rely on brute force instead of a time saving method such as rainbow tables).

If money has been the only thing that has held you back from using a password manager you should take a look at LastPass’s “free” version. While ads are a potential vector for malware they can be blocked with an ad blocker and the risk of being infected through ads is significantly less than the risks involved in not using a password manager.

My biggest grip with the advertisement based model most Internet services have opted to use is that ads can easily be used to spread malware. Because of that I view ad blockers as security software more than anything. And the Internet seems to enjoy proving my point every few weeks:

As a security researcher, it’s always exciting to discover new vulnerabilities and techniques used by malicious actors to deliver malware to unsuspecting users. These moments are actually quite rare, and it’s increasingly frustrating from a researcher’s perspective to watch the bad guys continue to use the same previously exposed methods to conduct their malicious operations.

Today’s example is no different. We discovered a malvertising campaign on Google AdWords for the search term “Google Chrome”, where unsuspecting MacOS users were being tricked into downloading a malicious installer identified as ‘OSX/InstallMiez’ (or ‘OSX/InstallCore’).

In this case the malware didn’t spread through a browser exploit. Instead it exploited the weakest component of any security system: the human. The malware developers bought ads from Google so that their link, which was cleverly titled “Get Google Chrome”, would appear at the very top of the page. This malware was targeted at macOS users so if you were a Windows user and clicked on the link you’d be redirected to a nonexistent page but macOS users would be taken to a page to download the malware installer. After running the installer the malware opens a browser page to a scareware site urging you to “clean your Mac” and then downloads more malware that opens automatically and urges the user to copy it to their Applications folder.

As operating systems have become more secure malware producers have begun relying on exploiting the human component. Unfortunately, it’s difficult to train mom, dad, grandpa, and grandma on proper computer security practices. Explaining the difference between Google advertisement links and Google search result links to your grandparents is often a hopeless cause. The easiest way of dealing with that situation is to hide the ads, and therefore any malware that tries to spread via ads, from their view and ad blockers are the best tools for that job.

Unfortunately, the advertisement based model isn’t going away anytime soon. Too many people think that web services are free because, as Bastiat explained way back when, they’re not seeing the unseen factors. Since they’re not paying money to access a service they think that the service is free. What remains unseens are the other costs such as being surveilled for the benefit of advertisers, increased bandwidth and battery usage for sending and displaying advertisements, the risk of malware infecting their system via advertisements, etc. So long as the advertisement based model continues to thrive you should run ad blockers on all of your devices to protect yourself.

Anybody with more than two braincells to rub together and has even a modest knowledge of economic history knows that you can’t trust the State for your retirement. The government issued funny money is in a constant state of devaluation, which means every slip of its paper you save will be worth much less when you retire. Because of that, smart people find alternative ways to preserve their wealth for retirement. Some people invest a portion of their wealth in the hopes they can grow it faster than the rate of inflation while others prefer to rely on time proven precious metals.

If you look at historical trends the latter is a pretty solid choice if your goal is to preserve your purchasing power. However, if you’re going to opt for precious metals you need a secure method of storage, to spread out your assets, and probably a decent insurance policy because physical assets can be stolen:

ST. PAUL, Minn. – St. Paul Police are looking into an reported burglary that stripped a female resident of her entire life savings.

Police spokesman Steve Linders confirms that the alleged victim, a 57-year-old who lives on the 1600 block of Abell Street, had her valuables stashed in her bedroom because she does not trust banks. The thieves got away with 100 gold bars valued at more than $1,200 apiece, $60,000 cash and a diamond ring valued at $36,000.

I’ve seen quite a few comments making fun of the fact that her lack of trust in banks caused her to lose her life savings. But if your money is in a bank account its purchasing power is constantly being stolen in the form of inflation so acting high and mighty because you keep your government funny money in a bank is just as stupid as keeping all of your gold in one location and not properly securing it.

By the description of her storage method (stashing it in her bedroom) I’m left to assume she didn’t have her gold in a quality safe. If you’re going to have a lot of gold on hand you should invest in a decent safe that can be bolted to the ground (i.e. a decent gun safe). Bonus points can be had if you can also conceal the safe. But a quality safe offer two advantages. First, it greatly increases the time it takes for a burglar to get to your valuable assets. Burglaries are often smash and grab affairs where the burglars want to minimize the amount of time that they’re in a house. The more secure your assets are the less attractive they will be to a petty thief looking to get in and out. The second advantage a quality safe offers is fire protection. You don’t want to lose your retirement if your house burns down.

In addition to a quality safe you also want to spread your assets around. Keeping all of your eggs in one basket is not a wise idea. I would personally recommend against a safety deposit box at a bank because the State can and has seized them. And since the United States government has confiscated gold in the past it’s not unreasonable to think another gold confiscation might occur. You’re better off having trustworthy family members or close friends or have a second piece of property where you can install a quality safe and store some of your assets.

The third thing, which can be tricky if you’re concerned about another possible government gold confiscation, is having an insurance policy. Precious metals are valuable and valuable assets should be insured against loss. However, insuring your precious metals also means records of the metals existence will exist. If the government decided to do another gold confiscation they very well may require insurance companies to surrender information on customers who have insured precious metals. Then again, an insurance policy is a nice thing to have if burglars break into your home and get into your safe. It’s one of those risk-reward formulas that you have to figure out for yourself.

Storing your retirement savings in government funny money in a bank is not a good idea but if you’re going to do something else you need to be smart about. Simply buying gold isn’t a solid plan if you don’t have a way of securing that gold longterm.